Understanding the value of corporate assets is fundamental to cybersecurity risk management. Only when the true value is known can the correct level of security be applied.

In a study sponsored by DocAuthority and based on Gartner's Infonomics Data Valuation Model, the Ponemon Institute surveyed 2,827 professionals across the U.S. and UK to gauge how different business functions value different information assets. The business functions included in the research were IT security, product & manufacturing, legal, marketing & sales, IT, finance & accounting, and HR.

These groups were asked to put a financial cost, on a per-record basis, to the hypothetical loss of 36 different information types, such as R&D documents, M&A documents, source code and customer contracts. The results show a consistent and sometimes marked difference in value perception between business functions.

For example, the report finds that "IT Security departments undervalued documents including research and development (R&D) and financial reports, while excessively prioritizing less sensitive Personally Identifiable Information (PII) data." ('Excessively' and 'less sensitive' are DocAuthority's terms.)

Further examples of what is almost a dichotomy of attitudes between ITsec and the rest of the business: ITsec valued R&D documents at less than half the business valuation ($306,504 versus $704,619 for reconstruction), and put the leaking of financial reports at $131,570 against the Finance department's valuation of $303,182.

In contrast to this, ITsec 'overvalued' monthly salary lists at $94,148, compared to HR's valuation of $57,477. "Because IT security is overly focused on PII-related data," notes the report, "this may reduce the investment in protecting far more expensive data types such as product designs, pricing or financial data. This can lead to far more expensive data breaches."

Typically, comments Larry Ponemon, chairman and founder of the Ponemon Institute, "the security and protection of business data is considered to be the responsibility of the IT Security department. Yet it's clear from this research that IT Security does not have the vitally-important context required to understand the true value of that data, and in turn create an effective strategy for defending it."

There are few CISOs who would disagree that their function needs to be better integrated with the overall business, and that their operation would function better with greater involvement from other business areas. There is, however, one caveat to this approach -- it assumes that the relevant business function actually understands the different risks.

A case in point was highlighted by Brian Bandey, a UK-based Doctor of Law specializing in international IT, internet and data protection, who published his concerns that many businesses simply do not understand GDPR, and forcefully assert they are compliant when they are not. He writes, "I fear that many organisations have internally told themselves they are GDPR Compliant so many times that they believe it. And hence 'How Dare That Be Questioned'."

Since employee data, such as salary lists, are as much protected by GDPR as customer PII, it is possible that HR is simply not factoring in the regulatory cost of a breach because of a misplaced assumption of privacy-law compliance. If that is the case, then ITsec's valuation may be the more correct one, and HR is actually undervaluing the risk, and therefore the value, of salary lists.

The purpose of this diversion is simply to note that most valuations will involve some degree of subjectivity at some point. Despite this caveat, the Ponemon/DocAuthority report is a major and valuable piece of research. In general, it is reasonable to assume that data owners are the best judges of the value of their data. Indeed, Larry Ponemon told SecurityWeek, "If you look at the standard deviation between the values returned by the function closest to the data, it is relatively low. In other words, it is homogenic, and homogeneity is good -- it suggests the figures are basically true."

It is the value of different types of informational asset that varies considerably. "Only around 5% of data retained by businesses will be crucial to running the current and future organization," comments Steve Abbot, CEO at DocAuthority. "Despite this, most businesses still apply unrepresentative, or 'one size fits all' levels of security to their data assets. Businesses need to consider how they can take a more strategic and cost-effective approach by identifying critical data that is worth security investment."

There is a further value to this research -- it is exactly the type of research that will benefit cyber insurance. "I think this could be a great tool for insurance," Larry Ponemon told SecurityWeek, "because they're having a hard time trying to underwrite the potential risk. This is one way to do that."

Ariel Peled, CTO and co-founder at DocAuthority, expanded, "I had a recent conversation with one of the biggest cyber insurance firms. They told me this is exactly what they were looking for because they are struggling with understanding what is going to be the impact of data loss."

His concern is that the current lack of understanding is causing a mismatch between premiums and required payouts -- insurers are keeping both arbitrarily low.

"Insurers don't charge a lot -- but nor do they pay a lot," he continued. "This is a problem because the larger companies need to have serious insurance. A major breach could take a company down completely. So, having insurance of magnitude is mandatory; which requires a better way to have insurance accurately tied to the cost of loss. Property can be insured for the cost of rebuilding. With this research, insurance can accurately assess the value of the company's assets in order to more accurately relate premiums to the cost of rebuilding the asset or the company."

"The big issue for cyber insurance," added Ponemon, "remains the valuation problem -- what is the true value of the asset if it is damaged or lost. That's why I think our approach in really trying to determine the economic value of all these different types of data is seminal. I think this has real potential, not just for cyber security risk management, but also the application of cyber insurance."

In June 2018, Atlanta, GA-based DocAuthority raised $10 million in a Series A funding round led by Raine Ventures, with the participation of Greycroft, ffVC and Differential VC in the US, and 2B Angels and Plus Ventures in Israel. The firm applies artificial intelligence to the discovery and classification of unstructured data.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.